About this Guide
About Qualys 


About this Guide 


Thank you for your interest in Qualys Context Extended Detection and Response (XDR). 


Qualys Context Extended Detection and Response (XDR) is a next-gen Security Analytics 
and Incident Response solution that natively integrates and correlates security telemetry 
across the security stack for an end-to-end platform. 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical 
security intelligence on demand and automating the full spectrum of auditing, 
compliance and protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed
service providers and consulting organizations including Accenture, BT, Cognizant
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT,
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a
founding member of the Cloud Security Alliance (CSA). For more information, please visit
www.qualys.com


Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access support information at www.qualys.com/support/ 


About XDR 


Qualys Context Extended Detection and Response (XDR) enables you to collect event data
from various assets by leveraging Qualys Cloud Agents. You can also configure XDR to
ingest third-party logs to extend detection. Qualys uses several algorithms in the
background to correlate the data coming from these varying sources to offer you a
single-pane view of your security posture.


A typical organization deploys several products and applications, such as firewalls,
Intrusion Prevention Systems (IPS), vulnerability management systems, EDRs, and a
plethora of other systems, to secure itself against cyber threats. Qualys Context XDR
leverages the infrastructure already in place for other Qualys products, such as the
Cloud Agents and other sensors, to ingest real-time telemetry from all of these systems
and collate it on the Qualys Cloud Platform. Qualys Context XDR then integrates this with
the data already existing on the Qualys Cloud Platform from other Qualys products to
offer interesting insights out-of-the-box on the XDR dashboards.


Qualys splits the enabling process over several phases as listed below:

[Figure: enablement phases. Day 0 - Deployment; Day 1 - Data Collection; a phase whose
label is unreadable in the source figure; Day 3 - Detection Model; Day 4 - Incident Mgmt.
Activities shown in the figure: Customer Activation, Appliance Deployment, Windows Agent,
Syslog Collector Setup, Windows Log Collection, 3rd party Log Collection, SIEM Data
Ingestion, Search Queries, Log Enrichment, Context Enrichment, Special Object Setup,
Leverage Tags, Behavior Rules, Correlation Rules, Analytics Dashboard, Signal
Investigation.]

For more information on these phases, refer to the Enablement Guides in the Online
Help.


Get Started with XDR 


With Qualys Context XDR, you can collect event data from various assets by leveraging
Qualys Cloud Agents. You can also configure XDR to ingest third-party logs to extend
detection. Qualys uses several algorithms in the background to correlate the data coming
from these varying sources to offer you a single-pane view of your security posture.


Follow the instructions in these sections to configure Qualys Context XDR to collect data: 
Set Up Qualys Cloud Agents 
Set Up Third-party Data Collection 

After successfully setting up Qualys Context XDR, you will be able to: 


View events and signals from the configured data sources. See the Threat Management 
section for more information. 


Configure Qualys Context XDR to use real-time threat intelligence and machine learning 
to automatically prioritize vulnerabilities. See the Rules section for more information. 


Qualys Context XDR Dashboards 


Qualys Context XDR integrates with Unified Dashboard (UD) to bring information from all
Qualys applications into a single place for visualization. UD provides a powerful new
dashboard framework, along with a platform service that all other products consume to
enhance their existing dashboard capabilities.


Qualys Context XDR offers several dashboards out-of-the-box. Each dashboard displays a 
short description of the information it offers. You can also easily configure widgets to pull 
information from other modules/applications and add them to your dashboard. You can 
also add as many dashboards as you like to customize your view. 


Set Up Qualys Cloud Agents 


Qualys Context XDR allows you to leverage existing Qualys Cloud Agents to collect event
logs from assets on which agents are deployed. You can also deploy fresh agents and
configure them to collect logs for XDR.


Note: If you do not have Qualys Cloud Agents deployed already, follow the instructions in
the Qualys Cloud Agent Getting Started Guide or refer to the Online Help to install and
deploy cloud agents on your assets.


Follow these steps to configure existing Qualys Cloud Agents to collect event logs:
1. Enable XDR via configuration profile 

2. Activate Cloud Agents for XDR 

3. Configure a Cloud Agent Profile 


For more information on these steps, refer to the Online Help.


Set Up Third-party Data Collection 


Qualys Context XDR allows you to collect logs from third-party firewalls, enabling 
detection across multi-vendor environments while integrating third-party firewall alerts 
into a unified incident view. 


This section walks you through the steps required to ingest data from third-party devices
into Qualys Context XDR. The setup process has three main steps:


1. Provision an appliance 
2. Deploy a collector 
3. Configure log sources 


For more information on these steps, refer to the Online Help.


Threat Management 


Qualys Context XDR ingests logs from different sources, and the events from these logs are
displayed on the Threat Management tab. All events from these logs are displayed under
the Events sub-tab. The Signals sub-tab displays the alerts raised by Qualys Context XDR
based on the rules you have configured. The Threat Hunting sub-tab offers a summarized
view of all signals raised by Qualys Context XDR.


[Screenshot: Threat Management > Threat Hunting dashboard for the selected period (Last
Month). Widgets: Signals Breakdown by MITRE ATT&CK Stages (Initial Access, Execution,
Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral
Movement, Collection, Command and Control, Exfiltration, Impact); Top 10 Signals by MITRE
Tactics (columns Technique, Tactic, Signals, Risk Score); Top 10 Triggered/Notable Users
by Signals Count (columns User Name, Location, Signals); Top 10 Triggered/Notable Assets
by Signals Count (columns Asset Name, Operating System, Signals).]


Click each link below to learn more about each tab: 
Events Tab 

Signals Tab 

Threat Hunting Tab 

DLQ Tab 


Threat Hunting Tab 


The threat hunting tab summarizes the details from the signals and events tab on a 
dashboard. This dashboard offers a single-pane view of your threat hunting posture. 


Use the time period filter on the top-left to focus on data related to a particular time 
frame. 


[Screenshot: the Threat Hunting dashboard with the time period filter set to Last Month,
showing the four widgets Signals Breakdown by MITRE ATT&CK Stages, Top 10 Signals by MITRE
Tactics, Top 10 Triggered/Notable Users by Signals Count, and Top 10 Triggered/Notable
Assets by Signals Count.]


Signals breakdown by MITRE ATT&CK stages - This widget displays the different MITRE
ATT&CK stages and the number of signals generated per stage.


Top 10 signals by MITRE tactics - This widget displays the top 10 MITRE tactics for which
signals were generated.


Top 10 triggered/notable users by signals count - This widget displays the top 10 users in
your organization with the highest number of signals.


Top 10 triggered/notable assets by signals count - This widget displays the top 10 assets
in your organization that have triggered the most signals.


Signals Tab 


The signals tab displays all the alerts raised by Qualys Context XDR during the set time 
period, based on the rules you have activated. If you have not activated rules yet, see the 
Rules section to activate them. 


[Screenshot: Threat Management > Signals tab (Last 30 Days; Total Signals 78.9K). Table
columns: Risk Score, Rule Name, Source, Criticality, Age, Type, Source IPs, User,
Response. Quick filters on the left: Tactic, Technique, Log Sources, Rule Name.]


For each signal triggered, the Signals tab displays the risk score, which is assigned based
on several factors including the criticality of the rules triggering it. The Signals tab
also displays the notifications sent out in response to each signal under the Response
column. Click the number under the Response column to view all the notifications sent.


For each signal triggered, you can also view detailed information about the signal and
the asset that triggered it. Use the Quick Actions menu beside each signal to open the
signal details and asset details pages.


Note: Asset details are populated only when Qualys Context XDR associates the signal to 
an asset. 


Use Qualys QQL on this page to search for specific signals. For a complete list of QQL 
tokens supported on this page, click here. 


You can also use the quick filters from the left pane to narrow down to specific signals. 
Events Tab 


Qualys Context XDR ingests logs from all the configured data sources on a continuous 
basis. Events from these data sources are displayed on the events tab. 


[Screenshot: Threat Management > Events tab (Last 30 Days; Total Events 83.5K). Each row
shows the event time, its age and a summary of its fields, such as collectorId,
collectorReceivedTime, deviceEventId (for example Microsoft-Windows-Security-Auditing:4624)
and externalId, followed by Qualys-enriched fields such as assetLastLogonUser, ioc and fim
status. Quick filters on the left: Tags, End-points.]


Let’s take a quick look at the information this page offers: 


Event Details 

The event details section displays the details of all events received from the data sources.
Each event has its details categorized under two buckets:

- Event Values - Displays information as received from the data source


- Qualys Enriched Values - Displays the information that Qualys was able to enrich based
on correlations with data received from other integrations.


For example, if you have integrated your organization's Active directory data with Qualys 
Context XDR, Qualys Context XDR attempts to correlate this data with the event. 
Similarly, using the IP address received on an event log, Qualys Context XDR enriches the 
event details with the asset details related to this IP. 
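The following is an added example, not Qualys code, of the enrichment step described above: a raw Windows logon event is correlated with constructed Active Directory and asset-inventory samples, keyed on the account name and on the source IP address in the event. The field names (userName, sourceAddress, the user. and asset. prefixes) and all sample data are assumptions made for illustration, not the product's schema.

```python
"""Example (not Qualys code): enrich a raw event with directory and asset context.

The guide describes two buckets per event: values as received from the data
source, and values added by correlating with other integrations (for example
Active Directory and the asset inventory, keyed by the IP address in the
event). The directory, inventory and event below are constructed samples; the
field names are assumptions, not the product's schema.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Optional

# Constructed sample: Active Directory users keyed by sAMAccountName (lower-case).
AD_USERS = {
    "jdoe": {"displayName": "Jane Doe", "department": "Engineering", "title": "Manager"},
    "svc-backup": {"displayName": "Backup Service", "department": "IT", "title": "Service account"},
}

# Constructed sample: asset inventory keyed by IP address.
ASSETS = {
    "10.0.5.21": {"assetId": 1001, "hostname": "WIN10-210", "os": "Microsoft Windows 10",
                  "lastLogonUser": "jdoe"},
    "10.0.5.40": {"assetId": 1002, "hostname": "SRV-FILE01", "os": "Microsoft Windows Server 2019",
                  "lastLogonUser": "svc-backup"},
}


@dataclass
class EnrichedEvent:
    event_values: dict                                   # as received from the source
    enriched_values: dict = field(default_factory=dict)  # added by correlation


def _lookup_user(account: Optional[str]) -> Optional[dict]:
    """Strip a DOMAIN\\ prefix and look the account up in the directory."""
    if not account:
        return None
    short = account.split("\\")[-1].lower()
    return AD_USERS.get(short)


def _lookup_asset(ip: Optional[str]) -> Optional[dict]:
    """Look the asset up by IP; ignore values that are not valid addresses."""
    if not ip:
        return None
    try:
        ip_address(ip)
    except ValueError:
        return None
    return ASSETS.get(ip)


def enrich(event: dict) -> EnrichedEvent:
    """Attach AD user and asset-inventory details to a raw event.

    Enrichment is best effort: a field that cannot be correlated is left out of
    enriched_values, matching the guide's note that asset details appear only
    when the event can be associated with an asset.
    """
    out = EnrichedEvent(event_values=dict(event))
    user = _lookup_user(event.get("userName"))
    if user:
        out.enriched_values.update({"user." + k: v for k, v in user.items()})
    asset = _lookup_asset(event.get("sourceAddress"))
    if asset:
        out.enriched_values.update({"asset." + k: v for k, v in asset.items()})
    return out


# Constructed sample event shaped like a Windows Security 4624 (logon) record.
SAMPLE_LOGON = {
    "deviceEventId": "Microsoft-Windows-Security-Auditing:4624",
    "deviceProduct": "Windows",
    "userName": "CORP\\jdoe",
    "sourceAddress": "10.0.5.21",
    "logonType": 10,
}

if __name__ == "__main__":
    enriched = enrich(SAMPLE_LOGON)
    for key, value in enriched.enriched_values.items():
        print(f"{key}: {value}")
```

Running the script prints the enriched bucket only; the raw bucket is kept untouched so that the two can be shown side by side, as the Event Values and Qualys Enriched Values tabs do.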


Click the arrow in the event header to view details. 


[Screenshot: Threat Management > Events tab with one event expanded. The detail pane has
the tabs Event Values (25), Qualys Enriched Values and JSON View. Event Values shown
include action (Special Logon), collectorId, collectorReceivedTime, customString10,
customString12, customString13 and deviceEventId
(Microsoft-Windows-Security-Auditing:4672).]
Search 


Use Qualys QQL to search for specific events on this page. For information on how to 
search, see the How to search topic. 


Time Filter 


Use the time-filter dropdown to view events that occurred within a time range. You can
define your own time range or choose a pre-defined time frame.


Events Bar Chart 


The Events bar chart displays a graph of the number of events that occurred during the 
defined time range. The bar chart helps visualize the events data and identify patterns for 
when events occur. 


Click each bar on the graph to get a focused view on the events that occurred during that 
time. Use the time-filter dropdown to reset the graph. 


Quick Filters 
Use the quick filters available in the left pane to view specific events. 


DLQ Tab 


The Dead Letter Queue (DLQ) tab displays all the logs that Qualys Context XDR could not
parse. The tab displays details of each log message that was not parsed, including the
device vendor and type that generated the log, the source name, and the parsing
error.


[Screenshot: Threat Management > DLQ tab (Today; Total Events 5). Table columns: Device
Type, Source Name, Event ID, Device Vendor, Created On, Collected On, Parsing Error
Message (for example grokparsefailure). Quick filters on the left: Device Type, Vendor,
Source.]


Use the quick filters from the left to view specific logs. You can also use QQL tokens to 
search for logs. 


For each log that was not parsed, open the quick actions menu and then click View 
Message to view the actual message that was received from the device. 
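As an added example (not Qualys code) of how a dead-letter queue is fed, the script below parses a constructed firewall log format and, instead of dropping lines it cannot parse, records each one with the source name, the device vendor and type, the parsing error, and the raw message that a View Message action would show. The log format, the source descriptor and the sample lines are all constructed for this example.

```python
"""Example (not Qualys code): route log lines that fail to parse into a dead-letter queue.

The guide says the DLQ tab lists each unparsed message with the device vendor
and type that produced it, the source name, and the parsing error. This sketch
shows one way such records come to exist: a parser that raises on malformed
input, and a collector loop that captures the error instead of dropping the
line. The log format, source descriptor and sample lines are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed format: "<ts> <host> <vendor>:<product> action=<a> src=<ip> dst=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<vendor>[^:\s]+):(?P<product>\S+) (?P<kv>.*)$"
)
REQUIRED = ("action", "src", "dst")


class ParseError(ValueError):
    """Raised with a message describing what the parser could not handle."""


@dataclass
class Source:
    name: str            # as configured on the collector
    device_vendor: str
    device_type: str


@dataclass
class DlqRecord:
    source_name: str
    device_vendor: str
    device_type: str
    parsing_error: str
    raw_message: str     # what "View Message" would show
    collected_on: datetime


def parse_line(line: str) -> dict:
    """Parse one line into a flat event; raise ParseError on any defect."""
    m = LINE_RE.match(line)
    if not m:
        raise ParseError("line does not match expected header pattern")
    event = {"deviceVendor": m["vendor"], "deviceProduct": m["product"], "host": m["host"]}
    try:
        event["receiptTime"] = datetime.fromisoformat(m["ts"])
    except ValueError as exc:
        raise ParseError(f"bad timestamp {m['ts']!r}: {exc}") from None
    for token in m["kv"].split():
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ParseError(f"malformed key=value token {token!r}")
        event[key] = value
    missing = [k for k in REQUIRED if k not in event]
    if missing:
        raise ParseError("missing required field(s): " + ", ".join(missing))
    return event


def collect(lines, source: Source, now=None):
    """Return (parsed events, DLQ records); nothing is silently discarded."""
    now = now or datetime.now(timezone.utc)
    events, dlq = [], []
    for line in lines:
        try:
            events.append(parse_line(line))
        except ParseError as exc:
            dlq.append(DlqRecord(source.name, source.device_vendor, source.device_type,
                                 str(exc), line, now))
    return events, dlq


# Constructed sample input: two good lines, three that should land in the DLQ.
SAMPLE_SOURCE = Source("Edge_FW_Syslog", "ExampleVendor", "Firewall")
SAMPLE_LINES = [
    "2021-10-13T14:24:00 fw01 ExampleVendor:NGFW action=DENIED src=10.1.1.5 dst=203.0.113.9",
    "2021-10-13T14:24:01 fw01 ExampleVendor:NGFW action=ALLOWED src=10.1.1.6 dst=198.51.100.2",
    "2021-10-13T14:24:02 fw01 ExampleVendor:NGFW action=DENIED src=10.1.1.7",            # missing dst
    "%{[devicelist][0][name]} not a real log line",                                       # header mismatch
    "2021-13-40T99:00:00 fw01 ExampleVendor:NGFW action=DENIED src=10.1.1.8 dst=10.2.2.2",  # bad timestamp
]

if __name__ == "__main__":
    ok, bad = collect(SAMPLE_LINES, SAMPLE_SOURCE)
    print(f"parsed {len(ok)} events, {len(bad)} sent to DLQ")
    for rec in bad:
        print(f"  [{rec.device_vendor}/{rec.device_type}] {rec.source_name}: {rec.parsing_error}")
```

The point of keeping the raw message on the DLQ record is the same as the View Message action above: the parsing error tells you which rule of the format was violated, but only the original bytes tell you whether the device changed its format or the parser is wrong.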
Click source details to view the configured source to collect this log and the collector on 
which the log was collected. 


[Screenshot: Source Details page for the source Cisco_ISE_IAM. Summary: Model Cisco,
Device Type IAM, Created Date, Modified Date, Created By, Status (Configured). Collector
Details: collector name and IP address, Last Modified, Destination Server, Host/IP
Address, Directory Conf., Description, Created By, Protocol, Port, Timezone, Status, Cron,
Activity, Config Fetcher, Last Collection, with a View All Details link.]
Rules 


Qualys Context XDR uses rules to analyze events from different data sources and trigger 
alerts. Qualys offers several out-of-the-box rules that are built on a variety of different 
MITRE tactics and techniques. For each rule, you can also define an appropriate action 
when triggered. 


With Qualys Context XDR, you can either: 
Create a New Rule 

Activate Rules 

Export/Import Rules 


View Configured Rules 


Create a New Rule 


When you identify a threat, you can define specific rules for which you want Qualys 
Context XDR to raise alerts. Machine learning detection techniques can continuously 
refine rules to improve detection effectiveness and minimize false positives. 


For more information about the steps to create a new rule, refer to the Online Help.


Activate Rules 


Qualys Context XDR offers an extensive out-of-the-box library of rules for you to leverage. 
These rules are built on a variety of MITRE tactics and techniques. 


On the Qualys Context XDR UI, navigate to Rules > Rule Library to view all the pre- 
configured rules. The rule library page displays the MITRE tactic and technique used for 
each rule along with its criticality. 


[Screenshot: Rules > Rule Library. Table columns: Rule Name, Configured, Log Sources,
Tactics, Techniques, Criticality, Date Created, with a short description under each rule
name. Rows shown include Windows Audit Log Cleared (Windows; Low); Network scan attempts
from ... (Firewall, Qualys_vm; Discovery; Network Service Scanning; Medium); Asset with
High risk flag ... (Proxy, Qualys_ioc; Initial Access; Drive-by Compromise; High);
Scheduled Task Created ... (Windows; Execution; Scheduled Task; Low); Windows Domain
Trust ... (Windows; Discovery; Domain Trust Discovery; Low); Multiple concurrent logins
(Windows; Initial Access; Valid Accounts; Low); Malware IP access with ... (Firewall;
Defense Evasion; Indicator Blocking; Medium). Quick filters on the left: Criticality,
Tactic, Technique.]
To activate a rule from the Rule Library, use the Quick Activate option from the 
corresponding Quick Actions menu on the Rule Library page. 


[Screenshot: Rule Library with the Quick Actions menu open for the rule Windows Audit Log
Cleared (Windows; Defense Evasion; Indicator Removal on Host; Low). Menu options: View
details, Quick Activate, Configure and Activate.]


To view the details of a rule, use the View details option from the corresponding Quick
Actions menu. The rule details page describes each rule in detail. It also displays the signal
condition in natural language for easy understanding. To activate a rule from this page,
click Quick Activate from the Actions menu in the top-right corner.


[Screenshot: Rule Details: Windows Audit Log Cleared, with an Actions menu at the
top-right. Basic Information: Criticality Low; Last updated on Wed Apr 07 2021.
Description: This rule will be created when windows audit log cleared event is detected.
Natural Language query:
Trigger signal with LOW criticality when there is/are
1 event/s from Source 1 - WINDOWS
where
(deviceEventId is Microsoft-Windows-Security-Auditing:1102
deviceEventId is Microsoft-Windows-Security-Auditing:517 )
within 1 Minutes
General details: Rule Name Windows Audit Log Cleared; Log Sources Windows; Techniques
Indicator Removal on Host; Tactics Defense Evasion; Library rule used; Total alerts 0;
Last updated; Last signal generated; Created by.]


Qualys Context XDR allows you to build your own rules by leveraging existing rules from
the Rule Library. To configure an existing rule from the Rule Library, refer to the Online Help.
Export/Import Rules 
Qualys Context XDR allows you to configure new rules and export them for circulation. 
Follow these steps to export an existing rule: 


1. First, on the Qualys Context XDR UI, navigate to the Rules sub-tab under the Rules tab. 


[Screenshot: Rules > Rules sub-tab (1-9 of 9 rules). Table columns: Last Updated, Rule
Name, Log Sources, Tactics, Techniques, Criticality, Signals; each rule is shown with its
state (Inactive). Quick filters on the left: Tactic, Technique, Criticality.]


2. From the Rule page, click the Export rule option from the rule’s Quick Actions menu. 


[Screenshot: Rules sub-tab with the Quick Actions menu open for the rule Denied proxy.
Menu options: Edit, Activate, Library configuration, Export rule, Delete rule, Delete
signals for this rule. An Import Rule button is at the top-right of the table.]


3. On the Confirmation pop-up, click Export to export the rule to your local machine as a 
JSON file. 


You can import this exported JSON file to automatically use a rule in other subscriptions. 
To import a rule in JSON format, follow these steps: 

1. First, on the Qualys Context XDR UI, navigate to the Rules sub-tab under the Rules tab. 
2. On the Rules sub-tab, click Import Rule. 


3. On the Import Rule pop-up, drag and drop, or browse and upload the rule in JSON 
format. 


4. Finally, click Import to import the rule. The imported rule is displayed on the Rules sub- 
tab in the Active state. 
View Configured Rules 


Navigate to the Rules > Rules sub-tab to view all your configured rules. The table on this
page displays information about each configured rule.


[Screenshot: Rules > Rules sub-tab (1-9 of 9 rules) with an Import Rule button. Table
columns: Last Updated, Rule Name, Log Sources, Tactics, Techniques, Criticality, Signals.
Rows shown include Denied proxy (Proxy; Discovery; System Owner/User Discovery; Medium;
1.56M signals), DENIED (Proxy; Defense Evasion; BITS Jobs; Low; 5.45M), Windows rule
(Windows; Privilege Escalation; Bypass User Account Control; Low; 108K), Firewall Rule
(Firewall; Defense Evasion; Virtualization/Sandbox Evasion; Medium; 35.6K), Proxy rule
(Proxy; Persistence; AppCert DLLs; High; 5.45M), Test Decoy (Decoy; High; 461) and PROXIED
(Proxy; Privilege Escalation; Application Shimming; Medium; 5.45M), all Inactive. Quick
filters on the left: Tactic, Technique, Criticality.]


Use this page to: 
- Create a new rule. See the Create a New Rule section for more information. 


- View the status of each rule. A rule can be in the Active or in the Inactive state. Use 
Activate/Deactivate options from the Quick Actions menu next to a rule to toggle 
between the Active and Inactive states. 


- View details of each rule. Use the View details option from the rule’s Quick Actions 
menu to view the rule details. 


[Screenshot: Rule Details: Denied proxy. Basic Information: Criticality Medium; Signals
1.56M; Last updated on Fri Sep 24 2021.
Description: Denied Proxy
Natural Language query:
Trigger signal with MEDIUM criticality when there is/are
1 event/s from Source 1 - PROXY
where
(action is DENIED )
within 1 Seconds.
General details: Rule Name Denied proxy; Log Sources Proxy; Techniques System Owner/User
Discovery; Tactics Discovery; Library rule used (View Configuration); Total alerts
1561040; Created by.]
- Use Qualys QQL tokens to search for specific rules. Refer to the Online Help for the
complete list of QQL tokens that you can use on this page.


- View the signals associated with each rule. Click the signal count associated with a rule 
to view the entire list of signals. 


- Delete the signals associated with a rule. Use the delete signals for this rule option from 
the quick actions menu next to a rule to delete its associated signals. 


- Import/export a rule. See the Export/Import Rules section for more information. 


- Delete a configured rule. Use the delete rule option from the quick actions menu next to 
a rule to delete it. 


- Filter rules using the quick filters. Use the quick filter options from the left to quickly
view the rules you are interested in. The filters are categorized under the following buckets:


+ Tactic - Use filters under this bucket to filter rules by their associated MITRE tactic.


+ Technique - Use filters under this bucket to filter rules by their associated MITRE
technique.


+ Status - Use filters under this bucket to view rules in the Active or Inactive state.

+ Criticality - Use filters under this bucket to view rules by their criticality.


+ Log Sources - Use filters under this bucket to view rules by their log sources. For
example, view rules associated with all firewall sources.
Advanced Analytics 


The advanced analytics tab correlates your user data from active directory with the 
triggered signals and summarizes your user activity and risk score. 


The Advanced Analytics tab has two sub-tabs. Click each tab to learn more:


Overview Tab 


Users Tab 


Overview Tab 


The advanced analytics overview tab is a summary/dashboard that lists the users with the 
highest risk score. For each user, the risk is calculated based on the risk score of the user's 
associated signals. 


To view the signals associated with each user, click the number under the Signals column. 


Click each user to view the user details. For more information, see the Users Tab section. 


[Screenshot: Advanced Analytics > Overview tab (Last 30 Days). Widget Top 12 Risky Users
with columns User Name, Signals and Risk; the Risk column reads "Not available" for some
users.]


You can add multiple widgets to this page that focus on smaller user groups in your
organization by creating user lists. To add widgets, see the Configure User Lists section.


Users Tab 


The Users tab displays the list of all users received from Active Directory and their risk 
scores. For each user, the risk is calculated based on the risk score of the user's associated 
signals. 


[Screenshot: Advanced Analytics > Users tab showing Total Users and a table with Risk Score, Username, SAM Account Name, Department, Active Since and User Groups columns, with Department and Location quick filters on the left] 

To view the details of each user, click view details from the quick actions menu. 


[Screenshot: User Detail page with the General Details, Risk Score Trend, Timeline and Additional Details tabs, and the By Signals and By Rules widgets] 


The user details page offers several details about the user under four interactive widgets. 
Use the tab-level time range filter or the widget-level time range filter to view data 
accordingly. 


Click each tab listed below to learn more about it. 

General Details 

Risk Score Trend 

Timeline 

Additional Details 
General Details 


The general details tab displays a summary of the signals triggered for the user: 


[Screenshot: General Details tab showing the By MITRE Attacks, Signals Timeline, By Signals and By Rules widgets, each with its own time range filter] 


- By MITRE Attacks - The different signals triggered for the user, grouped by the type of 
MITRE attack used by the signal 

- Signals Timeline - A timeline of when each signal was triggered 

- By Signals - The list of signals that were triggered for the user 

- By Rules - The list of rules that triggered the signals for the user 
Risk Score Trend 


[Screenshot: Risk Score Trend tab showing the risk score graph over time, a Signal Occurrence marker, and the Internal Activities and External Activities widgets with Occurrences, IP Address and Event Source columns] 


The Risk Score Trend tab displays a timeline of how the risk score moved with each signal 
triggered over the defined time range. 


The tab also displays two widgets that show the user's internal and external activities 
during the time period. 


Timeline 


[Screenshot: Timeline tab showing Total Signals, the signals graph with time range and MITRE tactic filters, and a table of two-day time frames with Signals/Events counts and the associated tactics and techniques] 


The Timeline tab displays all the signals triggered over the selected time period. Use the 
filters at the top-right corner of the graph to narrow the time period or to filter by specific 
MITRE tactics. 


Click each time frame in the table below the graph to view details of the signals and the 
events that occurred during that time frame. 
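The roll-ups behind the Overview tab's Top Risky Users widget and the Timeline tab's time frames, as an added illustration (not Qualys code): the guide says a user's risk is derived from the risk scores of the associated signals but gives no formula, so summing them per user is an assumption made here, and the sample signals are constructed.

```python
"""Roll up triggered signals per user (Overview tab) and per time frame (Timeline tab).
Added illustration, not Qualys code. The guide says a user's risk is derived from the
risk scores of the associated signals but gives no formula; summing them is an
assumption made here. All sample signals are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Signal:
    user: str            # user the signal is attributed to (Active Directory correlation)
    name: str            # signal / rule name, e.g. "Denied proxy"
    risk: int            # risk score of the signal
    tactic: str          # MITRE ATT&CK tactic of the rule that fired
    fired_at: datetime   # when the signal was triggered
    events: int = 1      # number of events that produced the signal


def top_risky_users(signals, since, until, limit=12):
    """Rank users by risk within [since, until], like the Top 12 Risky Users widget.
    Returns (user, signal_count, risk) tuples, highest risk first."""
    risk, count = defaultdict(int), defaultdict(int)
    for s in signals:
        if since <= s.fired_at <= until:
            risk[s.user] += s.risk          # assumption: user risk = sum of signal risk
            count[s.user] += 1
    ranked = sorted(risk, key=lambda u: (-risk[u], u))
    return [(u, count[u], risk[u]) for u in ranked[:limit]]


def timeline_buckets(signals, start, end, width=timedelta(days=2)):
    """Group signals into fixed-width time frames, like the table under the Timeline graph.
    Each frame is (frame_start, frame_end, signal_count, event_count, sorted tactics)."""
    frames, t = [], start
    while t < end:
        window = [s for s in signals if t <= s.fired_at < t + width]
        frames.append((t, t + width, len(window), sum(s.events for s in window),
                       sorted({s.tactic for s in window})))
        t += width
    return frames


# Constructed sample signals (not real telemetry).
SAMPLE_SIGNALS = [
    Signal("okta.test", "Denied proxy", 20, "Discovery", datetime(2021, 7, 1, 9)),
    Signal("dev.user", "PROXIED", 150, "Defense Evasion", datetime(2021, 7, 2, 10)),
    Signal("dev.user", "BITS Jobs", 250, "Persistence", datetime(2021, 7, 3, 11), events=3),
    Signal("ops.user", "Proxy rule", 7, "Discovery", datetime(2021, 7, 4, 12)),
    Signal("dev.user", "Denied proxy", 400, "Discovery", datetime(2021, 5, 1, 8)),  # outside July
]

if __name__ == "__main__":
    for user, n, risk in top_risky_users(SAMPLE_SIGNALS, datetime(2021, 7, 1), datetime(2021, 7, 31)):
        print(f"{user:<12} signals={n:<3} risk={risk}")
    for start, end, n, ev, tactics in timeline_buckets(SAMPLE_SIGNALS, datetime(2021, 7, 1), datetime(2021, 7, 5)):
        print(f"{start:%b %d}-{end:%b %d}  {n} Signals/ {ev} Events  {', '.join(tactics)}")
```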


[Screenshot: an expanded time frame row listing its signals with Risk Score, Signal Name, Time, Criticality, Host, Responses and Event Time columns] 


Additional Details 
The additional details tab lists the other details captured about the user. 


[Screenshot: Additional Details tab listing the user's directory attributes, such as company code, distinguished name, department, display name, title, email address and SAM account name] 


Configuration 


The Qualys Context XDR Configuration overview screen summarizes your configurations 
for XDR on a single dashboard. 


Configure Data Collection - Displays a summary of the appliances, collectors, and event 
sources configured. It also displays the total number of event sources in the catalog 
available for you to configure. 


Configure Response Templates - Displays the number of response templates configured 
for each response supported. 


Configure Special Objects - Displays the total number of special objects configured. It also 
displays the objects created and updated in the last 24 hours. 


Configure Threat Intel - Displays a count of the Threat Intel source feeds configured. 


Configure a Cloud Agent Profile - Displays a count of the log collection profiles configured 
for Qualys Context XDR. 


Configure User Lists - Displays a count of the user lists configured for Qualys Context 
XDR. 


Configure Data Collection 


The data collection configuration page consists of four tabs: 

Catalog 

Sources 

Collectors 

Appliances 


Catalog 


The Catalog tab displays a list of all third-party data sources and the types of collectors 
Qualys Context XDR supports. Toggle between sources and collectors to view the supported 
data sources and collectors. 


[Screenshot: Catalog tab showing Total Sources, the Vendor, Source Type and Release Date quick filters, and vendor tiles (for example Bluecoat, Cisco Umbrella, Okta, Proofpoint, Palo Alto, Check Point, ServiceNow, Smokescreen, Carbon Black, OpenLDAP, Cisco OpenDNS) marked Configured, Available or Request for support] 


For each supported data source, the catalog page also displays the count of sources you 
have already configured. 


Note: The Catalog page also displays the data sources Qualys is currently working on 
supporting and the data sources for which you have requested support. 


Sources 


The sources tab displays all the configured event sources. The page also displays the 
number of sources configured based on the supported log formats. Click each format tile 
on the top of the page to quickly filter configured event sources of a specific log format. 
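The format tiles on this tab (SYSLOG, CEF, Splunk, JSON, LEEF) group sources by the log format they emit. As an added example (not Qualys code), the following recognises the first four of those formats from raw event lines and tallies them the way the tiles do; the header heuristics are my own (RFC 3164 syslog framing, CEF and LEEF 1.0 headers with escaped pipes), and the sample lines are constructed.

```python
"""Detect the log format of raw event lines (SYSLOG, CEF, LEEF 1.0, JSON) and count
them per format, as the Sources tab tiles do. Added example, not Qualys code; the
detection rules are assumptions of this example and the sample lines are constructed."""
from __future__ import annotations
import json
import re
from collections import Counter

# RFC 3164 style framing: <PRI>Mmm dd hh:mm:ss host ...
_SYSLOG_RE = re.compile(r"^<(\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")


def _split_pipes(s: str, n: int) -> list[str]:
    """Split the first n pipe-delimited header fields, honouring the CEF/LEEF '\\|' escape.
    Whatever follows the n-th pipe is returned whole as the extension field."""
    fields, cur, i = [], [], 0
    while i < len(s) and len(fields) < n:
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):       # escaped character: keep it literally
            cur.append(s[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur) + s[i:])
    return fields


def classify(line: str) -> tuple[str, dict]:
    """Return (format, parsed header) for one event line, or ("UNKNOWN", {})."""
    m = _SYSLOG_RE.match(line)
    body = line[m.end():] if m else line       # CEF/LEEF usually ride inside a syslog frame
    cef, leef = body.find("CEF:"), body.find("LEEF:")
    if cef != -1:
        f = _split_pipes(body[cef + 4:], 7)     # CEF header has 7 pipes, then the extension
        if len(f) == 8:
            keys = ["version", "vendor", "product", "device_version", "signature_id", "name", "severity", "extension"]
            return "CEF", dict(zip(keys, f))
    if leef != -1:
        f = _split_pipes(body[leef + 5:], 5)    # LEEF 1.0 header has 5 pipes, then the extension
        if len(f) == 6:
            keys = ["version", "vendor", "product", "product_version", "event_id", "extension"]
            return "LEEF", dict(zip(keys, f))
    if line.lstrip().startswith("{"):
        try:
            return "JSON", json.loads(line)
        except json.JSONDecodeError:
            pass
    if m:
        return "SYSLOG", {"pri": int(m.group(1)), "host": m.group(0).split()[-1], "message": body}
    return "UNKNOWN", {}


def tally_formats(lines: list[str]) -> Counter:
    """Count lines per detected format, mirroring the per-format tiles on the Sources tab."""
    return Counter(classify(line)[0] for line in lines)


# Constructed sample lines (not real telemetry).
SAMPLE_LINES = [
    "<134>Oct  2 16:36:01 fw01 CEF:0|Vendor|Firewall|9.1|100|Denied proxy|5|src=10.0.0.5 act=denied",
    "<13>Oct  2 16:36:02 nyhost sshd[1201]: Accepted publickey for svc_account from 10.0.0.9 port 50102",
    "LEEF:1.0|Vendor|Proxy|2.4|PROXIED|src=10.0.0.5\tdst=10.0.0.80",
    '{"event": "login", "user": "svc_account", "result": "success"}',
    "garbage line with no recognisable header",
]
```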


[Screenshot: Data Collection > Sources tab showing Total Sources, the SYSLOG, CEF, Splunk, JSON and LEEF format tiles, a Log Format quick filter, and a table with Last Received On, Event Source, Model, Log Format, Type, Host/IP Address and Status columns] 


For information on configuring a new event source, refer to the configuring log sources 
section in the Online Help. 


Use the quick filters on the left or Qualys QQL to search for specific data sources. For 
information on the supported QQL tokens on this page, click here. 


For each configured event source, use the Quick Actions menu to: 


View Details - Displays a summary of the configured event source. The source details 
page displays information like who configured the source and when. It also displays the 
date it was modified, if any. On the right pane, the page also displays a summary of the 
collector the source is configured on. Click the view all details link to view details of the 
collector. 


View Events - Navigates to the Threat Management > Events to display all the events 
received through this event source. 


Delete - Deletes the configured event source 


Edit - Allows you to modify the configured event source 




Collectors 


The Collectors tab displays all the configured collectors. For information on deploying a 
new collector, refer to the Deploying a Collector section in the Online Help. 


[Screenshot: Data Collection > Collectors tab showing Total Collectors, a Status quick filter, and a table with Collector Name, Last Collection and Next Collection columns] 


Use the quick filters on the left or Qualys QQL to search for specific collectors. For 
information on the supported QQL tokens on this page, click here. 


For each configured collector, use the Quick Actions menu to: 


View Details - Displays a summary of the configured collector. The collector details page 
displays information like who configured the source and when, along with the data 
collection details. The collector details page also displays the number of event sources 
configured on it. Click the Event Sources link to view a list of the event sources. 


Edit - Allows you to modify the configured collector 


Refresh - Refreshes the collector 


Delete - Deletes the configured collector. When deleted, Qualys Context XDR stops 
ingesting data for any of the event sources configured on this collector. 


Appliances 


The Appliances tab displays all the configured appliances. For information on deploying a 
new appliance, refer to the Deploying an Appliance section in the Online Help. 


[Screenshot: Data Collection > Appliances tab with a table of Status, Friendly Name, Deployment date, Location, Version and IP Address columns] 


Use Qualys QQL to search for specific appliances. For information on the supported QQL 
tokens on this page, click here. 


For each configured appliance, use the Quick Actions menu to: 


View Details - Displays a summary of the configured appliance. The appliance details 
page displays information like the appliance's IP address, Host name etc. The logs tab of 
the appliance details page displays a list of the logs received on the appliance. 


Delete - Deletes the configured appliance 


Configure Response Templates 


Qualys Context XDR allows you to configure response templates for different types of 
responses based on the signals triggered. These responses can be sent as an email, posted 
to Slack, or delivered as a pager notification. 


You can define multiple templates for each application and then use these templates as a 
response to rules. 


See the Create a New Rule section for more information on using the response templates in rules. 


Configure Special Objects 


A special object is a reusable list (an array of values) that you can reference when defining 
rules. Once you create a special object, you can use it in multiple rules without having to 
repeat the list in every rule. 


Refer to the Online Help for the steps to configure a special object. 


Configure Threat Intel 


Qualys Context XDR offers the ability to enrich your data by integrating it with different 
third-party threat intelligence feeds. Qualys Context XDR correlates the event logs ingested 
from various sources with these threat feeds to offer insights into your security data. 


Refer to the Online Help for steps to configure a threat intel feed. 


Configure a Cloud Agent Profile 


After you have enabled XDR via a configuration profile and activated agents for XDR, you 
now need to create a Cloud Agent Profile to define what logs you want to collect from 
hosts, where you want to collect them, and the assets you want to collect from. 


Refer to the Online Help for steps to configure a cloud agent profile. 


Configure User Lists 


Qualys Context XDR allows you to create smaller user groups to focus on risks associated 
with these users. For example, you might want to focus on the users in a certain 
department and monitor the scores around those users. 


Refer to the Online Help for steps to configure a new user list. 